Hello,
I am using X2Go under Debian with Openbox. I have upgraded to Debian Buster; I didn't use to experience the problem below with Debian Stretch. My problem is about running graphical clients (like xeyes, xterm, gvim, etc.) from a console logged in either as a "simple" user ("user_2" below) or as "root". "user_2" cannot run these clients, "root" can. I would like both of them to be able to run these clients. Below is what happens ("user_1" is the user that started the X2Go session, it is also a "simple" user).
user_1> su user_2
Password:
No protocol specified
xrdb: Resource temporarily unavailable
xrdb: Can't open display ':50'

user_2> exit

user_1> su
Password:
root> xeyes
<OK>
Can you tell me how to allow "user_1" to run graphical clients like xeyes, xterm, gvim, etc.?
Léa
You are switching users without passing the display authorization cookie. The easiest way to achieve this is probably using ssh: instead of executing "su user_2" call "ssh -X user_2@localhost".
The problem is access to the xauthority file of user_1 (the path is stored in the XAUTHORITY environment, usually /home/user_1/.Xauthority). This file contains the cookie you need to access the display. As user_2 you are not allowed to read that file while as user root you can read it.
Uli
On Fri, Dec 27, 2019 at 3:45 PM Lmhelp1 <lmhelp1@orange.fr> wrote:
> Hello,
>
> I am using X2Go under Debian with Openbox. I have upgraded to Debian Buster; I didn't use to experience the problem below with Debian Stretch. My problem is about running graphical clients (like xeyes, xterm, gvim, etc.) from a console logged in either as a "simple" user ("user_2" below) or as "root". "user_2" cannot run these clients, "root" can. I would like both of them to be able to run these clients. Below is what happens ("user_1" is the user that started the X2Go session, it is also a "simple" user).
>
> user_1> su user_2
> Password:
> No protocol specified
> xrdb: Resource temporarily unavailable
> xrdb: Can't open display ':50'
>
> user_2> exit
>
> user_1> su
> Password:
> root> xeyes
> <OK>
>
> Can you tell me how to allow "user_1" to run graphical clients like xeyes, xterm, gvim, etc.?
>
> Best regards,
> Léa
x2go-user mailing list x2go-user@lists.x2go.org https://lists.x2go.org/listinfo/x2go-user
Hello Uli,
Thank you for your answer and for the explanations.
"ssh -X user_2@localhost" works fine indeed.
Uli> The problem is access to the xauthority file of user_1
I created a group "simple_users" and put "user_1" and "user_2" in that group. I changed the owner group of "/home/user_1/.Xauthority" to "simple_users" and set permissions to 660.
chown user_1:simple_users /home/user_1/.Xauthority
chmod 660 /home/user_1/.Xauthority
Then I re-tried the experiment:
user_1> su user_2
Password:
I don't get the error that I reported in my first post (No protocol specified xrdb: Resource temporarily unavailable xrdb: Can't open display ':50').
Yet, when I run xeyes, I get an error:
user_2> xeyes
No protocol specified
Error: Can't open display ':50'
Léa
On 27/12/2019 4:17 PM, Ulrich Sibiller wrote:
> You are switching users without passing the display authorization cookie. The easiest way to achieve this is probably using ssh: instead of executing "su user_2" call "ssh -X user_2@localhost".
>
> The problem is access to the xauthority file of user_1 (the path is stored in the XAUTHORITY environment, usually /home/user_1/.Xauthority). This file contains the cookie you need to access the display. As user_2 you are not allowed to read that file while as user root you can read it.
>
> Uli
Léa,
You will need to grant user_2 the x bit on user_1's home directory so that they can access /home/user_1/.Xauthority. I think most distros set $HOME permissions to 700, you may try setting it to 711 or adding user_2 to the user_1 gid and using 710 (depending on your security model).
Cheers, Bryan
On Fri, Dec 27, 2019 at 11:30 AM Lmhelp1 <lmhelp1@orange.fr> wrote:
> Hello Uli,
>
> Thank you for your answer and for the explanations.
>
> "ssh -X user_2@localhost" works fine indeed.
>
> Uli> The problem is access to the xauthority file of user_1
>
> I created a group "simple_users" and put "user_1" and "user_2" in that group. I changed the owner group of "/home/user_1/.Xauthority" to "simple_users" and set permissions to 660.
>
> chown user_1:simple_users /home/user_1/.Xauthority
> chmod 660 /home/user_1/.Xauthority
>
> Then I re-tried the experiment:
>
> user_1> su user_2
> Password:
>
> I don't get the error that I reported in my first post (No protocol specified xrdb: Resource temporarily unavailable xrdb: Can't open display ':50').
>
> Yet, when I run xeyes, I get an error:
>
> user_2> xeyes
> No protocol specified
> Error: Can't open display ':50'
>
> Best regards,
> Léa
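Added example, not part of any message in this thread: a POSIX shell check built on the two points made above (the cookie file is located through XAUTHORITY, and every directory above it needs the x bit) that reports the first path component whose mode bits stop a given uid. The function names and the optional START argument are made up for this example; it assumes GNU stat and looks at mode bits only, not ACLs.

```shell
#!/bin/sh
# Added example (not from the thread). Works from mode bits only: ACLs and
# MAC policy are not considered. Needs GNU stat, as shipped with Debian.

# perm_digit UID "GID ..." PATH -> the rwx digit (0-7) that applies to UID
perm_digit() {
    pd_info=$(stat -L -c '%u %g %a' "$3") || return 2
    pd_uid=$1; pd_gids=$2
    set -- $pd_info                       # $1=owner uid, $2=group gid, $3=octal mode
    pd_mode=$(( 0$3 ))
    # Classes are exclusive: owner first, then group, then other.
    if [ "$pd_uid" -eq "$1" ]; then echo $(( (pd_mode >> 6) & 7 )); return 0; fi
    for pd_g in $pd_gids; do
        if [ "$pd_g" -eq "$2" ]; then echo $(( (pd_mode >> 3) & 7 )); return 0; fi
    done
    echo $(( pd_mode & 7 ))
}

# xauth_blocker UID "GID ..." FILE [START]
# Walks START (default /) down to FILE. Prints the first component that stops
# UID and returns 1; prints nothing and returns 0 when FILE is readable.
xauth_blocker() {
    xb_uid=$1; xb_gids=$2; xb_cur=${4:-/}
    xb_rest=${3#"$xb_cur"}; xb_rest=${xb_rest#/}
    [ "$xb_uid" -eq 0 ] && return 0       # root is not limited by mode bits
    while :; do
        if [ -d "$xb_cur" ]; then xb_need=1; else xb_need=4; fi  # x on dirs, r on file
        xb_have=$(perm_digit "$xb_uid" "$xb_gids" "$xb_cur") || return 2
        if [ $(( xb_have & xb_need )) -eq 0 ]; then echo "$xb_cur"; return 1; fi
        [ -z "$xb_rest" ] && return 0
        xb_cur=${xb_cur%/}/${xb_rest%%/*}
        case $xb_rest in */*) xb_rest=${xb_rest#*/} ;; *) xb_rest= ;; esac
    done
}

# Usage: sh xauth_check.sh user_2 "$XAUTHORITY"
# (id -G reads the group database; a session opened before a group change
# may not carry the new group yet.)
if [ $# -eq 2 ]; then
    if xb_out=$(xauth_blocker "$(id -u "$1")" "$(id -G "$1")" "$2"); then
        echo "$1 can read $2"
    else
        echo "$1 is stopped at: $xb_out"
    fi
fi
```

When the check reports the file as readable and the client still prints "No protocol specified", the cause lies outside the mode bits of that path.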
Hello Bryan,
Permissions (by default) are 755 for "/home/user_1/"...
Léa
On 27/12/2019 6:02 PM, Bryan Roessler wrote:
> Léa,
>
> You will need to grant user_2 the x bit on user_1's home directory so that they can access /home/user_1/.Xauthority. I think most distros set $HOME permissions to 700, you may try setting it to 711 or adding user_2 to the user_1 gid and using 710 (depending on your security model).
>
> Cheers, Bryan